Skip to content

feat(hubble): modernize graph workbench experience#19

Open
imbajin wants to merge 102 commits into
masterfrom
cx-hubble-ui-ux2-pr
Open

feat(hubble): modernize graph workbench experience#19
imbajin wants to merge 102 commits into
masterfrom
cx-hubble-ui-ux2-pr

Conversation

@imbajin

@imbajin imbajin commented Jul 12, 2026

Copy link
Copy Markdown

What this PR delivers

This PR turns Hubble into a cohesive graph workbench with native operations, centralized
authorization context, safer credential handling, and recoverable end-to-end journeys. Native
monitoring no longer depends on Dashboard or Grafana; Dashboard remains an optional advanced
entry.

Product and workflow modernization

  • Unifies navigation and GraphSpace/graph context across graph management, Schema, Gremlin,
    algorithms, async tasks, data sources/import, accounts, profile, and Operations.
  • Connects the primary journeys from workspace onboarding through Schema/data preparation,
    query, result inspection, and task recovery; direct URLs and legacy aliases now resolve to a
    stable destination or an actionable error state.
  • Adds consistent loading, empty, partial, stale, unsupported, error, retry, and canonical-back
    states, plus keyboard focus, accessible names, localized status text, and responsive desktop
    layouts.
  • Completes a fresh inventory of all 30/30 production routes; current audit result is
    P0 = 0, P1 = 0, with no unresolved actionable P2.

Native cluster Operations

  • Adds capability-protected Cluster Overview, Nodes, and Node Detail routes.
  • Aggregates existing Server, PD, and Store facts into stable allowlisted DTOs with per-source
    freshness, bounded caches/fan-out, response limits, timeouts, and explicit partial/stale state.
  • Covers 3/30/300-node topology behavior, PD Leader changes, node filtering/search/pagination,
    and independent system/drive/Raft/backend metric groups.
  • Preserves healthy sources when Server, PD, Store, or one Store is unavailable; an unavailable
    Dashboard never blocks native monitoring.

Authorization and security contract

Area Current behavior
Roles Backend emits one minimal SUPERADMIN / SPACEADMIN / USER capability/action context; the frontend does not infer security permissions from role names or cached flags.
Operations Only SUPERADMIN can access cluster Operations; standalone ADMIN maps through the backend compatibility context, while standalone USER remains restricted.
GraphSpace administration SPACEADMIN can manage only members, roles, targets, and grants inside assigned spaces; global account/space operations remain SUPERADMIN-only.
Credentials Hubble does not retain login passwords or issue user tokens. Loader retry/resume rebuilds credentials from the current authenticated context instead of persisting them in task metadata.
Isolation 401/403, direct URL denial, downgrade, same-origin account switching, stale responses, browser-cache partitioning, IDOR, foreign-role/target injection, and scoped mutations are covered.
Disclosure boundaries Passwords, tokens, authorization/cookie headers, service secrets, private keys, upstream paths, raw queries, and internal exception details are removed from DTOs, DOM, logs, and public errors.
Internal services PD/Store access stays behind Hubble with explicit target allowlists, trusted discovery, DNS/SSRF checks, bounded reads, and secret-safe diagnostics.

Deployment compatibility

  • Supports both PD-backed deployments and authenticated standalone Server deployments.
  • Standalone mode has bounded graph-profile fallback, ADMIN/USER account metadata compatibility,
    localized unsupported PD/Store states, and token-authenticated Gremlin execution.
  • The matching Server/PD/Store compatibility changes are in
    hugegraph/hugegraph#161.
  • This PR intentionally does not add a complete alert engine, notification channels,
    historical time-series storage, mobile layouts, or production capacity policy.

UI evidence

Real Chrome validation covers PD and standalone deployments, role/login switching, source
failure/recovery, and five desktop viewports: 1280×720, 1366×768, 1440×900, 1920×1080, and
2560×1440.

Verification — current head ec034d0a

  • Hubble frontend: 135 suites / 730 tests passed; ESLint passed; zh-CN/en-US parity
    2239/2239 keys with 1525 statically referenced keys; production build passed.
  • Hubble backend affected/full profiles, Java Client unit suite, Checkstyle, RAT/license checks,
    and cross-module regression gates passed.
  • Hubble package/distribution passed: 417 JARs, 275 license files, 43 frontend license files, and
    10 native-bearing JARs; release tarball SHA-256:
    600a5283f1f576a26227549d783ad11adfa93b84ed2073cd6c8d32d0c02aef06.
  • GitHub: 14/14 checks passed, merge state CLEAN, and 61/61 review threads resolved.
  • Final independent read-only review and targeted re-review: Critical 0 / Important 0 / Minor 0.

imbajin added 30 commits July 12, 2026 14:44
- add route-first GraphSpace and graph selection\n- preserve recent context without cross-space leakage\n- expose source-specific loading errors and retries\n- cover dual-mode, concurrency, and accessibility contracts
- connect overview and Schema with shared graph navigation
- make statistics status and failure recovery explicit
- protect graph route data from stale request results
- add query entry, accessibility labels, and regression tests
- link mode-aware Schema, data source, and import steps
- distinguish failed requests from honest empty states
- isolate stale responses and pause failed polling
- verify real datasource mutation and dual-mode routes
- prevent duplicate task mutations and stale async updates
- preserve task state across recoverable request failures
- isolate detail rows by route task identity
- add accessible task action controls and race tests
- separate history and favorite loading and retry state
- isolate late responses across graph context changes
- pause async polling after failures and while pending
- add task-result retry and explicit empty states
- separate algorithm history and favorite recovery
- prevent pending pagination from rolling back early
- provide stable query table row keys
- contain graph tools within responsive result layouts
- add cached semantic zoom thresholds for dense graph labels
- fit force layouts after final layout completion
- preserve hovered labels across viewport changes
- cover density and zoom boundary contracts
- project BigInt and JSONbig values safely for JSON display
- render table cells without lossy quoting or precision changes
- prevent hidden graph fitting and duplicate layout registration
- redesign login as a balanced accessible desktop shell
- align workspace navigation, surfaces, controls and spacing
- simplify compact graph card labels without changing full graph views
- share the topbar height token and preserve document scrolling
- bound query and algorithm result regions to desktop viewport
- keep table pagination visible with internal scrolling
- compact query and algorithm history panels
- preserve full viewport behavior for 2D and 3D graph modes
- include URL hash in request-time login redirects
- cover HTTP and business 401 redirect contracts
- verify login restores query and hash context
- assert unauthorized requests are not replayed
- centralize PD account administrator policy
- align route guard with sidebar visibility
- redirect unauthorized users before Account mounts
- cover superadmin, space admin, analyst and fallback paths
- label ten icon-only graph controls with localized text
- keep accessible names aligned with existing tooltips
- add regression coverage for query and algorithm tools
- replace fixed empty-table margins with a responsive token
- center empty content without changing populated table rows
- add regression coverage for the global density contract
- apply the shared ring to discrete workbench controls
- move skip-link activation into the main workspace
- scope navigation topbar workspace and login styles
- add DOM and stylesheet regression contracts
- start data preparation from the mode-aware Schema step
- prefer current route context over stored graph context
- share one path contract across home, sidebar, and journey navigation
- keep safe GraphSpace fallbacks when no graph is selected
- release submit loading after validation or request failures
- preserve password fields for non-200 responses and retries
- cover validation, rejection, business error, and success paths
- replace click-only field and selection icons with named buttons
- constrain task names with ellipsis and full-value tooltips
- extend the accessibility contract to cover React icon actions
- add localized accessible names for the new controls
- serialize create, edit, and auth submissions
- clear stale account detail and form state
- ignore late identity responses after switching users
- cover pending, race, and failure recovery
- derive sidebar selection from route and product mode
- highlight the PD schema preparation entry
- preserve non-PD graph metadata under graph understanding
- cover route helper and rendered menu selection
- compact the My profile and password forms with Workbench tokens
- give 404 recovery a bounded surface and direct workspace return
- preserve async task context with a graph-scoped return entry
- cover surface, routing, i18n, and form-alignment contracts
- describe the destructive scope as schema and data\n- replace the misleading data-only API and menu names\n- cover modal copy, canonical route, and card actions\n- preserve exact-name, pending, and recovery behavior
- improve login balance and brand rendering
- clarify navigation information architecture
- expose unavailable operations as coming soon
- render profile empty values consistently
- add guarded keyboard query execution
- expose canvas fullscreen shortcut
- tune force layout for readable graph results
- cover shortcuts and layout behavior with tests
- default fresh sessions to English
- share language fallback across UI and requests
- keep explicit login language selections persistent
- focus graph canvas for fullscreen shortcuts
- prevent selected English journey labels from truncating
- retain the existing collapsed navigation behavior
- target the primary 1080p and 2K desktop layouts
- restore workbench route title helpers and styles\n- keep internal test routes development-only\n- remove duplicated task action definition

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces significant enhancements to the HugeGraph Hubble platform, including a new operations monitoring dashboard, improved authentication and authorization scopes for graph spaces, and refined data import workflows. Key changes include the addition of a LiveOperationsCollector for real-time metrics, enhanced permission checks in BaseController and AccessService, and improved error handling with new exception types. Additionally, the UI has been updated with a new navigation structure, a graph context switcher, and updated i18n resources. I have reviewed the code and suggest addressing the potential type safety issue in GraphsService.java as noted in the feedback.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

- clarify query shortcuts, empty states, and compact results
- correct Schema navigation and documentation paths
- explain operations metrics and external Dashboard scope
- add contextual sidebar expansion and onboarding links
@bitflicker64

Copy link
Copy Markdown

Bug: GQL Traversal fails with JWT; UI force-logs out

Branch tip tested: cx-hubble-ui-ux2-pr @ dcc402e5
Env: local Hubble (pd.enabled=false, server.direct_url=http://127.0.0.1:8080) · Server hugegraph/hugegraph:latest with PASSWORD=admin · login admin/admin · EN · graph hugegraph
Tester: Bitflicker · 2026-07-15

Symptom

After login, GQL Traversal (Gremlin) on a valid query e.g. g.V().limit(10) shows “Query failed. Review the statement…” and the UI force-logs out. Re-login → same loop (also without long idle).

Root cause (verified, not tester setup)

Call Auth Result
REST /graphs, vertices JWT Bearer 200
POST /gremlin same JWT Bearer 401
POST /gremlin Basic admin:admin 200

Hubble always uses the login token (Bearer) for Gremlin. FE treats any status: 401 as session dead → logout + misleading “review statement” copy.

API check: Hubble POST …/gremlin-query → body status: 401, message like Gremlin execute failed… HTTP 401.

Product gaps

  1. Server: /gremlin rejects JWT while other authenticated REST accepts it.
  2. Hubble: maps query 401 → force logout + blames the statement.

- preserve CodeMirror focus across controlled callback updates
- distinguish upstream query auth failures from session expiry
- cover synchronous and asynchronous query authentication paths
- make query failure guidance neutral and actionable
@bitflicker64

Copy link
Copy Markdown

Quick correction — Gremlin JWT retest (clean stack)

After the force-logout fix was pushed, I retested and thought Gremlin was fully working. That was a misread on my side. My temporary local proxy was still on (Mac :8080 rewrote only /gremlin Bearer → Basic for testing), so queries succeeded because of that workaround, not because Server accepted JWT.

I’ve since cleaned the stack, re-pulled hugegraph/hugegraph:latest, retested Hubble on cx-hubble-ui-ux2-pr @ 0037301d, reloaded sample data, proxy off, plain tunnel only.

What I’m seeing on a clean retest

Check Result
REST (e.g. /graphs) + JWT Bearer OK
Gremlin POST /gremlin + JWT Bearer still 401
Gremlin + Basic auth OK
Hubble Gremlin fails, but session stays logged in
UI message clearer after the recent commit: Server rejected query authentication… session still active…

So the commit looks right for the force-logout / bad error copy side. I was wrong to treat “query works” as fixed while the proxy was still masking Server.

What I came up with (please verify)

This is my current read — please double-check, I may still be missing something:

  1. Hubble half (recent commit): remapping upstream Gremlin auth failure so it is not treated as Hubble session expiry → looks correct; force logout is gone; message is much clearer.
  2. Server half (still open on my side): same login JWT works on REST (and Cypher with Bearer works for me), but POST /gremlin still rejects Bearer while Basic works → so Gremlin may be on a different auth path than other APIs.
  3. Earlier “Gremlin works after the push” was proxy still on, not Server JWT fixed.

Question

Does this match how you see it?

  • Hubble UX for this case: done on 0037301d?
  • Remaining product work: Server should accept JWT on /gremlin (same as REST/Cypher)?

If this conclusion is wrong, tell me what I’m missing and I’ll retest that way.

Env (clean): local Hubble pd.enabled=false · server.direct_url=http://127.0.0.1:8080 · library hugegraph/hugegraph:latest core 1.7.0 · PASSWORD=admin · admin/admin · EN · graph hugegraph · sample data loaded · no local auth proxy

@imbajin

imbajin commented Jul 18, 2026

Copy link
Copy Markdown
Author

Verified. The clean-stack conclusion is:

  • Hubble session handling was already correct: an upstream query-auth 401 is mapped to a non-session business failure, so the Hubble login remains active.
  • The remaining /gremlin Bearer gap was in Server's Gremlin HTTP authentication path. The handler authenticated the token but discarded the returned identity instead of storing it in the channel StateKey.AUTHENTICATED_USER.
  • The Server fix is now pushed in feat: support secure Hubble monitoring targets hugegraph#161 at 5b082f8da (native Bearer support; no Bearer-to-Basic proxy or fallback).
  • On fresh independent RocksDB and HStore stacks, with the proxy disabled, REST Bearer, Gremlin Bearer, and Gremlin Basic all returned HTTP 200.
  • Toolchain follow-up e89f7931 also adds direct Cypher upstream-401 coverage, async error-ownership coverage, and query/layout regression tests.

The locally built clean-stack runtime covered the authentication behavior; CI is now running against the exact pushed heads. Chrome confirmed login plus DEFAULT/hugegraph context readiness, but the automation control surface did not dispatch the query-page React action, so I am not treating that browser attempt as additional query-success evidence.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants